IDM Scripting Driver for Windows Domain and Local Accounts

Summary

The Novell Identity Manager Scripting Driver allows you to write custom scripts in order to synchronize identity management information from Novell eDirectory™ to an external identity management system. This project contains Microsoft VBScript scripts that allow synchronization from your identity vault (eDirectory) to Windows NT domains or Windows local accounts. Use the scripts right 'out of the box' or customize them further to meet your needs.

Features

Synchronization of user accounts from your identity vault to a Windows NT Domain, Windows local account system, or an Active Directory tree.

Synchronization of groups from your identity vault to Windows, with group memberships.

Synchronization of relevant attributes, like Login Disabled, Password Expiration Time and more, with conversion of Date-type attributes.

Password synchronization from your identity vault to Windows.

Event-based and/or manual synchronization.

Ability to migrate existing users.

May be extended to support users and groups on multiple Windows systems.

Fully customizable VBScript scripts that can be used immediately or extended.

If you have customized your Scripting Driver VBScript scripts, back them up to a different folder.

Download the Scripting-WinDomain.zip package and extract it to your driver directory, C:\Program Files\Novell\WSDriver by default. This will overwrite most of your existing VBScript scripts.

Create a new Driver in eDirectory using iManager. Use the rules\Scripting-WinDomain.xml file for driver configuration. You'll be prompted to enter your domain/system name during configuration.

Start the Driver in iManager and the Novell IDM Windows Script Driver service to begin synchronizing accounts.

Newly created identities will be synchronized to Windows. Identities will use the CN attribute as the (Logon) Name in Windows. You can also migrate existing identities using the driver's Migrate feature. If you need to migrate users with group memberships, migrate all the users first, and then the groups.

Functionality is limited on Active Directory. All users and groups will be created in the Users container in AD. Only a small number of attributes are supported. For more functionality use the Novell Active Directory Driver.

Multi-domain Functionality

Currently the scripts support synchronization to one domain, system or tree. However the scripts were written to be extended to support multiple domains; the functionality wasn't included directly because there are a variety of ways this could be accomplished.

Extending the driver will require knowledge of Identity Manager Driver Policies which are covered in the Identity Manager documentation.

Currently the name of the system is stored in a global configuration value (GCV). This value is used in the Matching Rule and Create Rule in the Driver policies. Below are two ideas for enabling multiple systems.

Object Attribute: An attribute on the User and Group objects contains the domain name. Add this attribute to the Driver filter. The Matching and Create Rules use this attribute instead of the GCV for the domain name.

Container Placement: The name of the container of the object indicates the domain name. The Matching and Create Rules parse this information from the object's DN and send it as the domain name instead of the GCV.